Sourcefire VRT Rules Update

Date: 2007-09-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.

The format of the file is:

sid - Message (rule group)

New rules:
11968 <-> VOIP-SIP Inbound INVITE Message (voip.rules)
11969 <-> VOIP-SIP Inbound 401 Unauthorized Message (voip.rules)
11970 <-> VOIP-SIP Cisco 7940/7960 INVITE Remote-Party-ID Denial of Service Attempt (voip.rules)
11971 <-> VOIP-SIP CSeq Buffer Overflow Attempt (voip.rules)
11972 <-> VOIP-SIP Max-Forwards Value Over 70 (voip.rules)
11973 <-> VOIP-SIP Via Header Hostname Buffer Overflow Attempt (voip.rules)
11974 <-> VOIP-SIP Response Too Small (voip.rules)
11975 <-> VOIP-SIP Via Header Missing SIP Field (voip.rules)
11976 <-> VOIP-SIP Overflow In URI Type - SIP (voip.rules)
11977 <-> VOIP-SIP Overflow In URI Type - Tel (voip.rules)
11978 <-> VOIP-SIP From Header Field Buffer Overflow Attempt (voip.rules)
11979 <-> VOIP-SIP Oversized SDP Media Port (voip.rules)
11980 <-> VOIP-SIP SDP Attribute Possible Buffer Overflow Attempt (voip.rules)
11981 <-> VOIP-SIP MultiTech INVITE Field Buffer Overflow Attempt (voip.rules)
11982 <-> VOIP-SIP Recursive URL-Encoded Data In To Header (voip.rules)
11983 <-> VOIP-SIP SDP Negative Time Value (voip.rules)
11984 <-> VOIP-SIP SDP Oversized Time Value (voip.rules)
11985 <-> VOIP-SIP Expires Header Overflow Attempt (voip.rules)
11986 <-> VOIP-SIP Invalid Characters In Authorization Response Parameter (voip.rules)
11987 <-> VOIP-SIP Via Header Format String Attempt (voip.rules)
11988 <-> VOIP-SIP From Header Format String Attempt (voip.rules)
11989 <-> VOIP-SIP Call-ID Header Format String Attempt (voip.rules)
11990 <-> VOIP-SIP Contact Header Format String Attempt (voip.rules)
11991 <-> VOIP-SIP CSeq Header Format String Attempt (voip.rules)
11992 <-> VOIP-SIP Content-Type Header Format String Attempt (voip.rules)
11993 <-> VOIP-SIP Call-ID Header Invalid Characters Detected (voip.rules)
11994 <-> VOIP-SIP Contact Header Invalid Characters Detected (voip.rules)
11995 <-> VOIP-SIP Content-Type Header Invalid Characters Detected (voip.rules)
11996 <-> VOIP-SIP CSeq Header Invalid Characters Detected (voip.rules)
11997 <-> VOIP-SIP From Header Invalid Characters Detected (voip.rules)
11998 <-> VOIP-SIP To Header Invalid Characters Detected (voip.rules)
11999 <-> VOIP-SIP Via Header Invalid Characters Detected (voip.rules)
12000 <-> VOIP-SIP INVITE Invalid IP Address (voip.rules)
12001 <-> VOIP-SIP SDP Version Overflow Attempt (voip.rules)
12002 <-> VOIP-SIP BYE Flood (voip.rules)
12003 <-> VOIP-SIP CANCEL Flood (voip.rules)
12004 <-> VOIP-SIP INVITE Message Invalid Content-Length Size Of Zero (voip.rules)
12005 <-> VOIP-SIP Invalid SDP Connection Value (voip.rules)
12006 <-> VOIP-SIP Outbound INVITE Message (voip.rules)
12007 <-> VOIP-SIP Outbound 401 Unauthorized Message (voip.rules)
12008 <-> VOIP-SIP Request Too Small (voip.rules)
12031 <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (content-replace.rules)
12032 <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (content-replace.rules)
12033 <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (content-replace.rules)
12034 <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (content-replace.rules)
12035 <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (content-replace.rules)
12036 <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (content-replace.rules)
12037 <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (content-replace.rules)
12038 <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (content-replace.rules)
12039 <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (content-replace.rules)
12040 <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (content-replace.rules)
12041 <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (content-replace.rules)
12042 <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (content-replace.rules)
12061 <-> SIP Request Line Equal To Zero (voip.rules)
12072 <-> VOIP-SIP Response code not three digits (voip.rules)
12073 <-> VOIP-SIP Inbound 100 Trying Message (voip.rules)
12074 <-> VOIP-SIP Outbound 100 Trying Message (voip.rules)
12112 <-> VOIP-SIP Sivus Scanner Detected (voip.rules)
12113 <-> VOIP-SIP SIP URI Possible Overflow (voip.rules)
12167 <-> VOIP-SIP Multiple At Signs In SIP URI (voip.rules)
12170 <-> VOIP-SIP Inbound 408 Request Timeout Message (voip.rules)
12171 <-> VOIP-SIP Outbound 408 Request Timeout Message (voip.rules)
12172 <-> VOIP-SIP Inbound 501 Not Implemented Message (voip.rules)
12173 <-> VOIP-SIP Outbound 501 Not Implemented Message (voip.rules)
12174 <-> VOIP-SIP Inbound 604 Does Not Exist Anywhere Message (voip.rules)
12175 <-> VOIP-SIP Outbound 604 Does Not Exist Anywhere Message (voip.rules)
12176 <-> VOIP-SIP Inbound 415 Unsupported Media Type Message (voip.rules)
12177 <-> VOIP-SIP Outbound 415 Unsupported Media Type Message (voip.rules)
12178 <-> VOIP-SIP Inbound 481 Call/Leg Transaction Does Not Exist (voip.rules)
12179 <-> VOIP-SIP Outbound 481 Call/Leg Transaction Does Not Exist (voip.rules)
12180 <-> VOIP-SIP Inbound 404 Not Found (voip.rules)
12181 <-> VOIP-SIP Outbound 404 Not Found (voip.rules)
12458 <-> POLICY portmapper sadmin port query (policy.rules)
12459 <-> WEB-CLIENT Microsoft Visual Studio 6 PDWizard.ocx ActiveX clsid access (web-client.rules)
12460 <-> WEB-CLIENT Microsoft Visual Studio 6 PDWizard.ocx ActiveX clsid unicode access (web-client.rules)
12461 <-> WEB-CLIENT Microsoft Visual Studio 6 VBTOVSI.dll ActiveX clsid access (web-client.rules)
12462 <-> WEB-CLIENT Microsoft Visual Studio 6 VBTOVSI.dll ActiveX clsid unicode access (web-client.rules)
12463 <-> EXPLOIT Crystal Reports RPT file handling buffer overflow attempt (exploit.rules)
12464 <-> NNTP cancel overflow attempt (nntp.rules)

Updated rules:
1755 <-> IMAP partial body buffer overflow attempt (imap.rules)
1842 <-> IMAP login buffer overflow attempt (imap.rules)
1844 <-> IMAP authenticate overflow attempt (imap.rules)
1845 <-> IMAP list literal overflow attempt (imap.rules)
1902 <-> IMAP lsub literal overflow attempt (imap.rules)
1903 <-> IMAP rename overflow attempt (imap.rules)
1904 <-> IMAP find overflow attempt (imap.rules)
1930 <-> IMAP auth literal overflow attempt (imap.rules)
1993 <-> IMAP login literal buffer overflow attempt (imap.rules)
2046 <-> IMAP partial body.peek buffer overflow attempt (imap.rules)
2105 <-> IMAP authenticate literal overflow attempt (imap.rules)
2106 <-> IMAP lsub overflow attempt (imap.rules)
2107 <-> IMAP create buffer overflow attempt (imap.rules)
2118 <-> IMAP list overflow attempt (imap.rules)
2119 <-> IMAP rename literal overflow attempt (imap.rules)
2120 <-> IMAP create literal buffer overflow attempt (imap.rules)
2273 <-> IMAP login brute force attempt (imap.rules)
2330 <-> IMAP auth overflow attempt (imap.rules)
2430 <-> NNTP newgroup overflow attempt (nntp.rules)
2431 <-> NNTP rmgroup overflow attempt (nntp.rules)
2497 <-> IMAP SSLv3 invalid data version attempt (imap.rules)
2517 <-> IMAP PCT Client_Hello overflow attempt (imap.rules)
2529 <-> IMAP SSLv3 Client_Hello request (imap.rules)
2530 <-> IMAP SSLv3 Server_Hello request (imap.rules)
2531 <-> IMAP SSLv3 invalid Client_Hello attempt (imap.rules)
2546 <-> FTP MDTM overflow attempt (ftp.rules)
2664 <-> IMAP login format string attempt (imap.rules)
2665 <-> IMAP login literal format string attempt (imap.rules)
3007 <-> IMAP delete overflow attempt (imap.rules)
3008 <-> IMAP delete literal overflow attempt (imap.rules)
3058 <-> IMAP copy literal overflow attempt (imap.rules)
3065 <-> IMAP append literal overflow attempt (imap.rules)
3066 <-> IMAP append overflow attempt (imap.rules)
3067 <-> IMAP examine literal overflow attempt (imap.rules)
3068 <-> IMAP examine overflow attempt (imap.rules)
3069 <-> IMAP fetch literal overflow attempt (imap.rules)
3070 <-> IMAP fetch overflow attempt (imap.rules)
3071 <-> IMAP status literal overflow attempt (imap.rules)
3072 <-> IMAP status overflow attempt (imap.rules)
3073 <-> IMAP subscribe literal overflow attempt (imap.rules)
3074 <-> IMAP subscribe overflow attempt (imap.rules)
3075 <-> IMAP unsubscribe literal overflow attempt (imap.rules)
3076 <-> IMAP unsubscribe overflow attempt (imap.rules)
3487 <-> IMAP SSLv2 Client_Hello request (imap.rules)
3488 <-> IMAP SSLv2 Client_Hello with pad request (imap.rules)
3489 <-> IMAP TLSv1 Client_Hello request (imap.rules)
3490 <-> IMAP TLSv1 Client_Hello via SSLv2 handshake request (imap.rules)
3491 <-> IMAP SSLv2 Server_Hello request (imap.rules)
3492 <-> IMAP TLSv1 Server_Hello request (imap.rules)
4637 <-> EXPLOIT MailEnable HTTPMail buffer overflow attempt (exploit.rules)
4645 <-> IMAP search format string attempt (imap.rules)
4646 <-> IMAP search literal format string attempt (imap.rules)
5696 <-> IMAP delete directory traversal attempt (imap.rules)
5697 <-> IMAP examine directory traversal attempt (imap.rules)
5698 <-> IMAP list directory traversal attempt (imap.rules)
5699 <-> IMAP lsub directory traversal attempt (imap.rules)
5700 <-> IMAP rename directory traversal attempt (imap.rules)
5701 <-> IMAP status directory traversal attempt (imap.rules)
5702 <-> IMAP subscribe directory traversal attempt (imap.rules)
5703 <-> IMAP unsubscribe directory traversal attempt (imap.rules)
5704 <-> IMAP SELECT overflow attempt (imap.rules)
5705 <-> IMAP CAPABILITY overflow attempt (imap.rules)
8438 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules)
8439 <-> IMAP SSLv3 openssl get shared ciphers overflow attempt (imap.rules)
8440 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules)
10011 <-> IMAP Novell NetMail APPEND command buffer overflow attempt (imap.rules)
11004 <-> IMAP CRAM-MD5 authentication method buffer overflow (imap.rules)
12444 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX clsid access (web-client.rules)
12445 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX clsid unicode access (web-client.rules)
12446 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX function call access (web-client.rules)
12447 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX function call unicode access (web-client.rules)
12448 <-> WEB-CLIENT Microsoft Agent Control ActiveX clsid access (web-client.rules)
12449 <-> WEB-CLIENT Microsoft Agent Control ActiveX clsid unicode access (web-client.rules)
12450 <-> WEB-CLIENT Microsoft Agent Control ActiveX function call access (web-client.rules)
12451 <-> WEB-CLIENT Microsoft Agent Control ActiveX function call unicode access (web-client.rules)
12452 <-> WEB-CLIENT MS Agent File Provider ActiveX clsid access (web-client.rules)
12453 <-> WEB-CLIENT MS Agent File Provider ActiveX clsid unicode access (web-client.rules)